in aws/src/integration/java/org/apache/iceberg/aws/lakeformation/LakeFormationTestBase.java [128:252]
/**
 * One-time integration-test setup: provisions the IAM roles and policies, Lake Formation
 * data-lake settings, Glue/Lake Formation clients and the two {@code GlueCatalog} instances
 * that the Lake Formation tests exercise, then registers the test bucket path.
 *
 * <p>All role and policy names get a random UUID suffix so that concurrent runs in the same
 * account do not collide. The call order below matters: a role must exist before policies are
 * attached to it, the attachment is awaited for consistency before the role is assumed, and the
 * data-lake settings are updated before the catalogs that depend on them are initialized.
 * Tear-down of everything created here is expected to live elsewhere (not visible in this block).
 *
 * @throws Exception if any AWS call fails; the test class cannot run in that case
 */
public static void beforeClass() throws Exception {
  // Unique names per run so parallel/leftover resources do not clash on IAM names.
  lfRegisterPathRoleName = LF_REGISTER_PATH_ROLE_PREFIX + UUID.randomUUID();
  lfPrivilegedRoleName = LF_PRIVILEGED_ROLE_PREFIX + UUID.randomUUID();
  lfRegisterPathRoleS3PolicyName = LF_REGISTER_PATH_ROLE_S3_POLICY_PREFIX + UUID.randomUUID();
  lfRegisterPathRoleLfPolicyName = LF_REGISTER_PATH_ROLE_LF_POLICY_PREFIX + UUID.randomUUID();
  lfRegisterPathRoleIamPolicyName = LF_REGISTER_PATH_ROLE_IAM_POLICY_PREFIX + UUID.randomUUID();
  lfPrivilegedRolePolicyName = LF_PRIVILEGED_ROLE_POLICY_PREFIX + UUID.randomUUID();
  // IAM is a global service, hence the AWS_GLOBAL region.
  iam =
      IamClient.builder()
          .region(Region.AWS_GLOBAL)
          .httpClientBuilder(UrlConnectionHttpClient.builder())
          .build();
  // Create lfRegisterPathRole. Its trust policy lets the Glue and Lake Formation service
  // principals, and any principal of the test account (account root), assume it. Trusting
  // the account root is broad; it is acceptable only because this is a throw-away test role
  // scoped to the test account.
  CreateRoleResponse response =
      iam.createRole(
          CreateRoleRequest.builder()
              .roleName(lfRegisterPathRoleName)
              .assumeRolePolicyDocument(
                  "{"
                      + "\"Version\":\"2012-10-17\","
                      + "\"Statement\":[{"
                      + "\"Effect\":\"Allow\","
                      + "\"Principal\":{"
                      + "\"Service\":[\"glue.amazonaws.com\","
                      + "\"lakeformation.amazonaws.com\"],"
                      + "\"AWS\":\"arn:aws:iam::"
                      + AwsIntegTestUtil.testAccountId()
                      + ":root\"},"
                      + "\"Action\": [\"sts:AssumeRole\"]}]}")
              .maxSessionDuration(ASSUME_ROLE_SESSION_DURATION)
              .build());
  // The ARN is needed both for the IAM policy document below and for the clients/catalogs.
  lfRegisterPathRoleArn = response.role().arn();
  // create and attach test policy to lfRegisterPathRole (S3, Lake Formation and IAM policies;
  // the documents come from sibling helpers, the IAM one is parameterized by the role's ARN)
  createAndAttachRolePolicy(
      createPolicyArn(lfRegisterPathRoleS3PolicyName),
      lfRegisterPathRoleS3PolicyName,
      lfRegisterPathRolePolicyDocForS3(),
      lfRegisterPathRoleName);
  createAndAttachRolePolicy(
      createPolicyArn(lfRegisterPathRoleLfPolicyName),
      lfRegisterPathRoleLfPolicyName,
      lfRegisterPathRolePolicyDocForLakeFormation(),
      lfRegisterPathRoleName);
  createAndAttachRolePolicy(
      createPolicyArn(lfRegisterPathRoleIamPolicyName),
      lfRegisterPathRoleIamPolicyName,
      lfRegisterPathRolePolicyDocForIam(lfRegisterPathRoleArn),
      lfRegisterPathRoleName);
  // IAM is eventually consistent: the helper name suggests this blocks until the last
  // attachment is visible, so the role can be assumed reliably further down.
  waitForIamConsistency(lfRegisterPathRoleName, lfRegisterPathRoleIamPolicyName);
  // create lfPrivilegedRole. Only the test account root is trusted here; sts:TagSession is
  // allowed because the privileged catalog below assumes this role with a session tag.
  response =
      iam.createRole(
          CreateRoleRequest.builder()
              .roleName(lfPrivilegedRoleName)
              .assumeRolePolicyDocument(
                  "{"
                      + "\"Version\":\"2012-10-17\","
                      + "\"Statement\":[{"
                      + "\"Effect\":\"Allow\","
                      + "\"Principal\":{"
                      + "\"AWS\":\"arn:aws:iam::"
                      + AwsIntegTestUtil.testAccountId()
                      + ":root\"},"
                      + "\"Action\": [\"sts:AssumeRole\","
                      + "\"sts:TagSession\"]}]}")
              .maxSessionDuration(ASSUME_ROLE_SESSION_DURATION)
              .build());
  lfPrivilegedRoleArn = response.role().arn();
  // The Lake Formation principal the tests grant/revoke permissions for.
  principalUnderTest =
      DataLakePrincipal.builder().dataLakePrincipalIdentifier(lfPrivilegedRoleArn).build();
  // create and attach test policy to lfPrivilegedRole
  createAndAttachRolePolicy(
      createPolicyArn(lfPrivilegedRolePolicyName),
      lfPrivilegedRolePolicyName,
      lfPrivilegedRolePolicyDoc(),
      lfPrivilegedRoleName);
  waitForIamConsistency(lfPrivilegedRoleName, lfPrivilegedRolePolicyName);
  // build lf and glue client with lfRegisterPathRole
  lakeformation =
      buildLakeFormationClient(lfRegisterPathRoleArn, "test_lf", AwsIntegTestUtil.testRegion());
  glue = buildGlueClient(lfRegisterPathRoleArn, "test_lf", AwsIntegTestUtil.testRegion());
  // put lf data lake settings: read the current settings first so the request built by the
  // sibling helper can be derived from them; the meaning of the trailing boolean is defined by
  // putDataLakeSettingsRequest (not visible here).
  GetDataLakeSettingsResponse getDataLakeSettingsResponse =
      lakeformation.getDataLakeSettings(GetDataLakeSettingsRequest.builder().build());
  lakeformation.putDataLakeSettings(
      putDataLakeSettingsRequest(
          lfRegisterPathRoleArn, getDataLakeSettingsResponse.dataLakeSettings(), true));
  // Build test glueCatalog with lfPrivilegedRole
  glueCatalogPrivilegedRole = new GlueCatalog();
  assumeRoleProperties = Maps.newHashMap();
  // "s3://path" looks like a placeholder warehouse location; presumably the tests supply real
  // table locations themselves — confirm against the test cases.
  assumeRoleProperties.put("warehouse", "s3://path");
  assumeRoleProperties.put(
      AwsProperties.CLIENT_ASSUME_ROLE_REGION, AwsIntegTestUtil.testRegion());
  assumeRoleProperties.put(AwsProperties.GLUE_LAKEFORMATION_ENABLED, "true");
  assumeRoleProperties.put(AwsProperties.GLUE_ACCOUNT_ID, AwsIntegTestUtil.testAccountId());
  assumeRoleProperties.put(
      HttpClientProperties.CLIENT_TYPE, HttpClientProperties.CLIENT_TYPE_APACHE);
  assumeRoleProperties.put(AwsProperties.CLIENT_ASSUME_ROLE_ARN, lfPrivilegedRoleArn);
  // Session tag identifying the assumed session as a Lake Formation authorized caller.
  assumeRoleProperties.put(
      AwsProperties.CLIENT_ASSUME_ROLE_TAGS_PREFIX
          + LakeFormationAwsClientFactory.LF_AUTHORIZED_CALLER,
      LF_AUTHORIZED_CALLER_VALUE);
  glueCatalogPrivilegedRole.initialize("test_privileged", assumeRoleProperties);
  // Build test glueCatalog with lfRegisterPathRole
  // NOTE(review): the same map instance is mutated and reused below. If GlueCatalog.initialize
  // keeps a reference to the map instead of copying it, the privileged catalog would observe
  // these changes — verify, or pass a fresh map.
  assumeRoleProperties.put(AwsProperties.GLUE_LAKEFORMATION_ENABLED, "false");
  assumeRoleProperties.put(AwsProperties.CLIENT_ASSUME_ROLE_ARN, lfRegisterPathRoleArn);
  // The authorized-caller tag must not be sent when assuming lfRegisterPathRole.
  assumeRoleProperties.remove(
      AwsProperties.CLIENT_ASSUME_ROLE_TAGS_PREFIX
          + LakeFormationAwsClientFactory.LF_AUTHORIZED_CALLER);
  // Explicit plain assume-role factory for this catalog; the privileged catalog set none,
  // presumably relying on the LF-enabled flag to pick its factory — confirm.
  assumeRoleProperties.put(
      AwsProperties.CLIENT_FACTORY, AssumeRoleAwsClientFactory.class.getName());
  glueCatalogRegisterPathRole = new GlueCatalog();
  glueCatalogRegisterPathRole.initialize("test_registered", assumeRoleProperties);
  // register S3 test bucket path (deregister first, presumably so a stale registration left by
  // an earlier run does not make the registration fail)
  deregisterResource(testBucketPath);
  registerResource(testBucketPath);
}